telnet from routed IP subnet to ASA 5580

Feb 5th, 2009

I am trying to telnet and SSH to the ASA from the inside routed subnet, but it's not happening. When I telnet from the directly connected subnet of the ASA, it works.

Is this a constraint of the ASA, or can anything be done about this?

JORGE RODRIGUEZ Thu, 02/05/2009 - 09:25

It all depends on how you have configured the ASA to allow sources for SSH and telnet.

Can you post the output of

show run | inc telnet

show run | inc ssh


As well, please provide the source IP of the routed subnet you are telnetting from. Usually you can see the error and source IP in ASDM.

If you could provide this info we could assist better.


santoshm_75 Thu, 02/05/2009 - 20:06

Please find the configuration of the firewall. The routed network from the inside zone is The host IP address in this subnet is

route Internal_Firewall 1

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

aaa authorization exec authentication-server

http server enable

http Admin_zone

http Internal_Firewall

telnet Admin_zone

telnet Internal_Firewall

telnet timeout 30

ssh Admin_zone

ssh Internal_Firewall

ssh timeout 5

ssh version 2

Please find the access log of the same activities attached for your reference.


JORGE RODRIGUEZ Fri, 02/06/2009 - 10:23

I'm not clearly getting your logical setup in relation to where you are trying to SSH from and to. Also, there seems to be a TCP RESET-I, which tells me you are not initiating the SSH towards the right firewall interface, or I'm missing something.

You have

route Internal_Firewall 1

but looking at your logs:

Inbound TCP connection denied from to flags SYN on interface Internal_Firewall

You are trying to http from network by source to firewall interface or destination IP which, if I'm not mistaken, 165 could be an interface IP address of firewall for network

If you want to ssh/telnet/https to the firewall from hosts behind a routed network through one of your firewall interfaces, those hosts have to telnet/ssh/https towards the firewall interface they reside under.

Meaning, if wants to ssh/http/telnet to the firewall, it needs to do it towards the firewall interface IP this network is being routed under. The same applies for sources under telnetting or SSHing through the firewall interface they are under.
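
Added example, not part of any post in this thread: a Python check of the two conditions the replies above describe, namely that the source must be covered by a `telnet`/`ssh`/`http` entry on the interface it arrives through, and that the session must target that interface's own address. All addresses, the `interface` stanzas and the routed subnet are constructed assumptions, since the thread's own addresses are not shown; only the interface names come from the posted configuration.

```python
import ipaddress

# Constructed sample: addresses, interface stanzas and the routed subnet
# (10.20.0.0/16) are assumptions; only the interface names come from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Internal_Firewall
 ip address 10.10.1.1 255.255.255.0
interface Management0/0
 nameif Admin_zone
 ip address 192.168.50.1 255.255.255.0
route Internal_Firewall 10.20.0.0 255.255.0.0 10.10.1.254 1
telnet 192.168.50.0 255.255.255.0 Admin_zone
telnet 10.10.1.0 255.255.255.0 Internal_Firewall
ssh 192.168.50.0 255.255.255.0 Admin_zone
ssh 10.10.1.0 255.255.255.0 Internal_Firewall
"""

def parse(cfg):
    """Return interface addresses, reachable networks and management allow rules."""
    ifaces, reach, rules, name = {}, [], [], None
    for words in (line.split() for line in cfg.splitlines()):
        if words[:1] == ["nameif"]:
            name = words[1]
        elif words[:2] == ["ip", "address"]:
            ifaces[name] = ipaddress.ip_address(words[2])
            reach.append((ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False), name))
        elif words[:1] == ["route"]:
            reach.append((ipaddress.ip_network(f"{words[2]}/{words[3]}"), words[1]))
        elif words[:1] in (["telnet"], ["ssh"], ["http"]) and len(words) == 4:
            try:  # ignore 4-word lines that are not "<net> <mask> <interface>"
                rules.append((words[0], ipaddress.ip_network(f"{words[1]}/{words[2]}"), words[3]))
            except ValueError:
                pass
    return ifaces, reach, rules

def check_mgmt(cfg, service, src, dst):
    """Explain whether src may open a management session to dst."""
    ifaces, reach, rules = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name) for net, name in reach if src in net]
    if not hits:
        return False, "no route to the source"
    ingress = max(hits)[1]  # longest-prefix match picks the arriving interface
    if ifaces.get(ingress) != dst:
        return False, f"destination is not the {ingress} interface address"
    if not any(s == service and i == ingress and src in n for s, n, i in rules):
        return False, f"no '{service}' entry on {ingress} covers {src}"
    return True, f"permitted on {ingress}"
```

With this constructed configuration, a host on the directly connected 10.10.1.0/24 is permitted while a host in the routed 10.20.0.0/16 is refused until a matching `telnet 10.20.0.0 255.255.0.0 Internal_Firewall` line is present.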

santoshm_75 Sat, 02/07/2009 - 01:37

I am not trying to telnet/ssh/http to the management interface, but I am trying to the interface which is connected to the routed interface. The IP address is, this is the inside interface of the firewall getting connected to the network wherein the routed area exists.

When I telnet to the internal interface of the firewall, it drops the connection.


Tshi M Mon, 02/09/2009 - 05:01

I am a bit confused. Your log shows a deny to but you mentioned that you are trying to http, ssh, telnet to Is that correct? Can you ping from

santoshm_75 Mon, 02/09/2009 - 06:21

Yes, I can ping from to, but when I telnet or ssh or http, it drops the connection.


Tshi M Mon, 02/09/2009 - 06:28

Could you please post your firewall config? I am still a bit confused about the log since it is reporting deny to a different address and not